mystic | 775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d

Analysis

max time kernel
149s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe
Size

1.1MB
MD5

30ec8753ba08b1b439e43e84a4f02e90
SHA1

a872df7ec9adaa22035b161ce6dad745e89a5a5b
SHA256

775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d
SHA512

593f922e0291eb7127041f4ce9868924817a3534d4dc67d69bc11127b721f2f33bb477654f4d74828d004d29c5862acf9f3022b706f2080cf238b8506325bd60
SSDEEP

12288:+MrQy90QW+wWzj3Q6ks5eE/2NowcE/WEaDSEHxm5QsVGdqZnZQqHSqSyHU8GB88j:CyUQrtJE/WEsSWI3VlZQuhGBPni3O5t

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3112-28-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/3112-29-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/3112-30-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/3112-32-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e3d-34.dat	family_redline
behavioral2/files/0x0006000000022e3d-35.dat	family_redline
behavioral2/memory/4768-36-0x0000000000E20000-0x0000000000E5E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1128	YN6ZE6SU.exe
4072	sf3YE1mZ.exe
1228	Gm7Ih8Fp.exe
880	1Jw66Oq4.exe
4768	2xW389rQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YN6ZE6SU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sf3YE1mZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Gm7Ih8Fp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 3112	880	1Jw66Oq4.exe	94

Program crash 3 IoCs

pid	pid_target	Process	procid_target
308	3112	WerFault.exe	94
2404	3112	WerFault.exe	94
5100	880	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 1128	3440	NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe	87
PID 3440 wrote to memory of 1128	3440	NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe	87
PID 3440 wrote to memory of 1128	3440	NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe	87
PID 1128 wrote to memory of 4072	1128	YN6ZE6SU.exe	88
PID 1128 wrote to memory of 4072	1128	YN6ZE6SU.exe	88
PID 1128 wrote to memory of 4072	1128	YN6ZE6SU.exe	88
PID 4072 wrote to memory of 1228	4072	sf3YE1mZ.exe	89
PID 4072 wrote to memory of 1228	4072	sf3YE1mZ.exe	89
PID 4072 wrote to memory of 1228	4072	sf3YE1mZ.exe	89
PID 1228 wrote to memory of 880	1228	Gm7Ih8Fp.exe	90
PID 1228 wrote to memory of 880	1228	Gm7Ih8Fp.exe	90
PID 1228 wrote to memory of 880	1228	Gm7Ih8Fp.exe	90
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 880 wrote to memory of 3112	880	1Jw66Oq4.exe	94
PID 3112 wrote to memory of 308	3112	AppLaunch.exe	98
PID 3112 wrote to memory of 308	3112	AppLaunch.exe	98
PID 3112 wrote to memory of 308	3112	AppLaunch.exe	98
PID 1228 wrote to memory of 4768	1228	Gm7Ih8Fp.exe	104
PID 1228 wrote to memory of 4768	1228	Gm7Ih8Fp.exe	104
PID 1228 wrote to memory of 4768	1228	Gm7Ih8Fp.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.30ec8753ba08b1b439e43e84a4f02e90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 540
        7⤵
        Program crash
        
        PID:308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 540
        7⤵
        Program crash
        
        PID:2404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 140
        6⤵
        Program crash
        
        PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe
        5⤵
        Executes dropped EXE
        
        PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 880 -ip 880
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3112 -ip 3112
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe

Filesize
921KB

MD5
4b10ff31caa8c8740c7da578b790bc71

SHA1
d37378d119b76396b8e6d3eeb0904117e2a0aa73

SHA256
0d07e67057866c842a1f16e6d8cdd7673cdc0d7993dcf2546c220592f10a38e9

SHA512
a396aa2fb105bb35b64362283b4f1a7268dcbd1a9a56c07809c821d5e704015cc18fad43381f5f652b0c5a2e8c1ed0866374b978de6ea0271028f09b507bda68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe

Filesize
921KB

MD5
4b10ff31caa8c8740c7da578b790bc71

SHA1
d37378d119b76396b8e6d3eeb0904117e2a0aa73

SHA256
0d07e67057866c842a1f16e6d8cdd7673cdc0d7993dcf2546c220592f10a38e9

SHA512
a396aa2fb105bb35b64362283b4f1a7268dcbd1a9a56c07809c821d5e704015cc18fad43381f5f652b0c5a2e8c1ed0866374b978de6ea0271028f09b507bda68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe

Filesize
632KB

MD5
105971c816c28b2cd63f455d2951db4a

SHA1
801ebe9c89f3ba2ed8f378cdc73d266b6f8d66ed

SHA256
b05b8d41f42fa94dc9ec9902e15c86ef4b82d5f5b08830717f3a9d9d5d61146f

SHA512
e22b7848f89cb3b5fd2e954904093b4cda3d4a6904529e5aacb6bb9f3489695147d682a6371fb7cfc619514c5035f390f913e0215a2a2856dd0589cf6a49ad28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe

Filesize
632KB

MD5
105971c816c28b2cd63f455d2951db4a

SHA1
801ebe9c89f3ba2ed8f378cdc73d266b6f8d66ed

SHA256
b05b8d41f42fa94dc9ec9902e15c86ef4b82d5f5b08830717f3a9d9d5d61146f

SHA512
e22b7848f89cb3b5fd2e954904093b4cda3d4a6904529e5aacb6bb9f3489695147d682a6371fb7cfc619514c5035f390f913e0215a2a2856dd0589cf6a49ad28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe

Filesize
436KB

MD5
5822ab4797e28a49bc2e0b6d7ecf8a0d

SHA1
aa41ea9a5644c59922657b79f93bc5a19852718a

SHA256
66026ff373fdd938d3aac4ebcb6360b4432233b15e17fba625f8da4d04b7c7e3

SHA512
ea3056a488cbe852e600c4ac7f0e8dcb420b9df94e1261a8b06ff8b3ec60846f2988488c2183607000747a7f6e7c3ebad6531e1ad89df9f1ea540c087391bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe

Filesize
436KB

MD5
5822ab4797e28a49bc2e0b6d7ecf8a0d

SHA1
aa41ea9a5644c59922657b79f93bc5a19852718a

SHA256
66026ff373fdd938d3aac4ebcb6360b4432233b15e17fba625f8da4d04b7c7e3

SHA512
ea3056a488cbe852e600c4ac7f0e8dcb420b9df94e1261a8b06ff8b3ec60846f2988488c2183607000747a7f6e7c3ebad6531e1ad89df9f1ea540c087391bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe

Filesize
407KB

MD5
91ed0d51510f7e9f975493dd5cf1bb19

SHA1
16b4bdc9c6cd0fe944bfcfffea8755973cad7491

SHA256
7b847348a350fd8560edaeff4e917e14ae5855f6c705c0d067477922a78f28c7

SHA512
dd50d6d44d551b09359088480ac7e73bc4c1a3c9732a5858379c38180759fb7245e1ddeca27ecee5d49331867f6948b5189e2cdac9a94167c6f97289558f6ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe

Filesize
407KB

MD5
91ed0d51510f7e9f975493dd5cf1bb19

SHA1
16b4bdc9c6cd0fe944bfcfffea8755973cad7491

SHA256
7b847348a350fd8560edaeff4e917e14ae5855f6c705c0d067477922a78f28c7

SHA512
dd50d6d44d551b09359088480ac7e73bc4c1a3c9732a5858379c38180759fb7245e1ddeca27ecee5d49331867f6948b5189e2cdac9a94167c6f97289558f6ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe

Filesize
221KB

MD5
bd98d090052a88e49c39a351ebeae0ca

SHA1
1b01fffe7725fdd4bdafc454d3260fbd28c7ce10

SHA256
8d375f9cfe8994b74a4b6ed46602762f3676e678a76243b32c9487e319b65760

SHA512
3a66fb3f37e5b51963e0ee96f0848cf90328e42ea0af50dbad0cbb281263cb2b91356e713c29f4e228e0a7babc1a3bd15822eba9ba3b26329dc1d204884f2dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe

Filesize
221KB

MD5
bd98d090052a88e49c39a351ebeae0ca

SHA1
1b01fffe7725fdd4bdafc454d3260fbd28c7ce10

SHA256
8d375f9cfe8994b74a4b6ed46602762f3676e678a76243b32c9487e319b65760

SHA512
3a66fb3f37e5b51963e0ee96f0848cf90328e42ea0af50dbad0cbb281263cb2b91356e713c29f4e228e0a7babc1a3bd15822eba9ba3b26329dc1d204884f2dd0

Download Submit
memory/3112-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-39-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/4768-37-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/4768-38-0x00000000081E0000-0x0000000008784000-memory.dmp

Filesize
5.6MB

Download
memory/4768-36-0x0000000000E20000-0x0000000000E5E000-memory.dmp

Filesize
248KB

Download
memory/4768-40-0x0000000007F70000-0x0000000007F80000-memory.dmp

Filesize
64KB

Download
memory/4768-41-0x0000000007ED0000-0x0000000007EDA000-memory.dmp

Filesize
40KB

Download
memory/4768-42-0x0000000008DB0000-0x00000000093C8000-memory.dmp

Filesize
6.1MB

Download
memory/4768-43-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/4768-44-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

Filesize
72KB

Download
memory/4768-45-0x0000000008020000-0x000000000805C000-memory.dmp

Filesize
240KB

Download
memory/4768-46-0x0000000008790000-0x00000000087DC000-memory.dmp

Filesize
304KB

Download
memory/4768-47-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/4768-48-0x0000000007F70000-0x0000000007F80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads